WSE 3.0 Client + WCF STS + WCF Service  
  Index .NET Development ASMX Web Services and XML Serialization
Author Message
dc75
PostPosted: ASMX Web Services and XML Serialization, WSE 3.0 Client + WCF STS + WCF Service Top

I am trying to integrate a WSE 3.0 client with our completed WCF STS and a WCF Sample Service. The WSE 3.0 client is able to retrieve the SAML token from the STS OK but when it tries to generate a secure conversation with the WCF Sample Service there is a failure on the WCF SampleService end.

The 1st error seemed to be because of DerivedKey tokens ('There was an error deserializing the security token XML. Please see the inner exception for more details.') in the SOAP message so I turned that to 'false'.

Then the WCF SampleService gave an error about the primary signature ('The primary signature must be encrypted.') - updating the message protection order from SignBeforeEncryptAndEncryptSignature to SignBeforeEncrypt resolved that issue.

Then the WCF SampleService gave the following error 'Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier'.

After this I tried to not use secure conversation between the WSE 3.0 Client and WCF SampleService but then I got the error 'No signature message parts were specified for messages with the ' http://www.hide-link.com/ ' action.'

The config for the service is shown below

<system.serviceModel>

<services>

<service behaviorConfiguration="ServiceBehavior" name="SampleService.HelloWorldUserNameService">

<endpoint binding="customBinding" address="" bindingConfiguration="ServiceUserNameBinding" contract="SampleService.IHelloWorld"/>

</service>

<service behaviorConfiguration="ServiceBehavior" name="SampleService.HelloWorldX509Service">

<endpoint binding="customBinding" address="" bindingConfiguration="ServiceX509Binding" contract="SampleService.IHelloWorld"/>

</service>

</services>

<bindings>

<customBinding>

<binding name="MutualCertificateBinding">

<security authenticationMode="MutualCertificate"

requireSecurityContextCancellation="false"

requireSignatureConfirmation="false"

messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"

requireDerivedKeys="true"

messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">

</security>

<!-- Required for WSE 3.0 clients -->

<textMessageEncoding messageVersion="Soap12WSAddressingAugust2004"/>

<httpTransport/>

</binding>

<binding name="ServiceUserNameBinding">

<security authenticationMode="SecureConversation">

<secureConversationBootstrap authenticationMode="IssuedToken"

messageProtectionOrder="SignBeforeEncrypt"

requireDerivedKeys="true"

requireSignatureConfirmation="false"

messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">

<issuedTokenParameters tokenType=" http://www.hide-link.com/ #SAMLV1.1">

<issuer address="http://localhost/SecurityTokenService/Service.svc" bindingConfiguration="MutualCertificateBinding" binding="customBinding">

<identity>

<dns value="WCFQuickstartServer"/>

</identity>

</issuer>

<issuerMetadata address="http://localhost/SecurityTokenService/Service.svc/Mex"/>

</issuedTokenParameters>

</secureConversationBootstrap>

</security>

<!-- Required for WSE 3.0 clients -->

<textMessageEncoding messageVersion="Soap12WSAddressingAugust2004"/>

<httpTransport/>

</binding>

<binding name="ServiceX509Binding">

<security authenticationMode="SecureConversation">

<secureConversationBootstrap authenticationMode="IssuedToken"

messageProtectionOrder="SignBeforeEncrypt"

requireDerivedKeys="true"

requireSignatureConfirmation="false"

messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">

<issuedTokenParameters tokenType=" http://www.hide-link.com/ #SAMLV1.1">

<issuer address="http://localhost/SecurityTokenService/ServiceX509.svc" bindingConfiguration="MutualCertificateBinding" binding="customBinding">

<identity>

<dns value="WCFQuickstartServer"/>

</identity>

</issuer>

<issuerMetadata address="http://localhost/SecurityTokenService/ServiceX509.svc/Mex"/>

</issuedTokenParameters>

</secureConversationBootstrap>

</security>

<!-- Required for WSE 3.0 clients -->

<textMessageEncoding messageVersion="Soap12WSAddressingAugust2004"/>

<httpTransport/>

</binding>

</customBinding>

</bindings>

<behaviors>

<serviceBehaviors>

<behavior name="ServiceBehavior">

<serviceCredentials type="Rover.Services.Sts.WebServiceCredentials, Rover.Services.Sts">

<serviceCertificate findValue="CN=WCFQuickstartServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>

</serviceCredentials>

<serviceMetadata httpGetEnabled="true"/>

</behavior>

</serviceBehaviors>

</behaviors>

</system.serviceModel>

and the config for the WSE 3.0 Client is as follows (note that the WSE 3.0 client did work ok with a WSE 3.0 SAML token STS created earlier)

<policies xmlns=" http://www.hide-link.com/ ">

<extensions>

<extension name="saml"

type="Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion.SamlPolicyAssertion, Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion"/>

<extension name="mutualCertificate11Security"

type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<extension name="usernameForCertificateSecurity"

type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<extension name="x509"

type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<extension name="requireActionHeader"

type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

</extensions>

<policy name="Sign-Saml-Username">

<!--<saml issuer="http://localhost/SamlSecurityTokenService/SamlTokenIssuer.ashx" issuerPolicy="issuerUsernamePolicy" establishSecurityContext="true" renewExpiredSecurityContext="true" requireDerivedKeys="true">-->

<saml issuer="http://localhost/SecurityTokenService/Service.svc"

issuerPolicy="issuerUsernamePolicy"

establishSecurityContext="true"

renewExpiredSecurityContext="true"

requireDerivedKeys="false"

useIssueTokenAction="true">

<protection>

<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />

<response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />

<fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />

</protection>

</saml>

</policy>

<policy name="Sign-Saml-X509">

<!--<saml issuer="http://localhost/SamlSecurityTokenService/SamlTokenIssuer.ashx" issuerPolicy="issuerX509Policy" establishSecurityContext="true" renewExpiredSecurityContext="true" requireDerivedKeys="true">-->

<saml issuer="http://localhost/SecurityTokenService/ServiceX509.svc"

issuerPolicy="issuerX509Policy"

establishSecurityContext="true"

renewExpiredSecurityContext="true"

requireDerivedKeys="false"

useIssueTokenAction="true">

<protection>

<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />

<response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />

<fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />

</protection>

</saml>

</policy>

<policy name="issuerUsernamePolicy">

<usernameForCertificateSecurity establishSecurityContext="false"

renewExpiredSecurityContext="false"

requireSignatureConfirmation="false"

messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"

requireDerivedKeys="false">

<serviceToken>

<!--<x509 storeLocation="CurrentUser" storeName="AddressBook" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />-->

<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WCFQuickStartServer" findType="FindBySubjectDistinguishedName" />

</serviceToken>

<protection>

<!--

<request signatureOptions="IncludeSoapBody" encryptBody="true" />

-->

<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />

<response signatureOptions="IncludeSoapBody" encryptBody="true" />

<fault signatureOptions="IncludeSoapBody" encryptBody="false" />

</protection>

</usernameForCertificateSecurity>

<requireActionHeader/>

</policy>

<policy name="issuerX509Policy">

<mutualCertificate11Security establishSecurityContext="false"

renewExpiredSecurityContext="false"

requireSignatureConfirmation="false"

messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"

requireDerivedKeys="true">

<serviceToken>

<!--<x509 storeLocation="CurrentUser" storeName="AddressBook" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />-->

<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WCFQuickStartServer" findType="FindBySubjectDistinguishedName" />

</serviceToken>

<protection>

<!--

<request signatureOptions="IncludeSoapBody" encryptBody="true" />

-->

<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />

<response signatureOptions="IncludeSoapBody" encryptBody="true" />

<fault signatureOptions="IncludeSoapBody" encryptBody="false" />

</protection>

</mutualCertificate11Security>

<requireActionHeader/>

</policy>

</policies>

thnx for any help - dave


.NET Development32  
 
 
VS2003
PostPosted: ASMX Web Services and XML Serialization, WSE 3.0 Client + WCF STS + WCF Service Top

Hi Dave,

I am having a similar problem, the only difference is that I am in no better shape then you.Could you share your code where the WSE 3.0 client is able to retrieve the SAML token or even if you could let me know how you are adding a refrence to STS..that would help...

Thanks in advance
 
 
 
Index .NET Development ASMX Web Services and XML Serialization